SCENARIO: A federal agency responsible for coordinating technical support for the safety and health of personnel responding to the clean-up and recovery operations following the destruction of Hurricane Katrina along the Gulf Coast of the United States was in need of compliance and certification assistance.
This agency’s technical data center contracted Wilson Consulting Group (WCG) to provide a variety of turn-key certification and accreditation compliance services. WCG reviewed, verified, and tested the security controls (management, operational, and technical) of the electronic docket management system and related systems serving the agency’s Directorate of Science, Technology and Medicine (DSTM).
WCG STRATEGY/SOLUTION: WCG performed a variety of services, including system documentation assessment, security certification and accreditation, and other tests to assess the effectiveness of the DSTM security controls. The tests included vulnerability assessments and penetration testing,where appropriate. WCG made recommendations for cost-effective solutions for correcting identified vulnerabilities.As a direct result of the quality of these efforts, WCG was retained to provide remediation services.
WCG provided guidance and documentation to assist the agency in obtaining Authority to Operate (ATO) certification for several of the agency’s systems.
ATO certification requires that systems be tested to verify compliance with applicable federal management, operational, and technical security guidelines, regulations, and controls. These guidelines included, but were not limited to:
- OMB Circulation A – 130, Management of Federal Information Resources
- Department of Labor (DOL) Computer Security Handbook
- DOL System Development Lifecycle Manual (SDLCM)
- DOL Technical Security Standards Manual
- NIST SP 800-30, Risk Management Guide for IT Systems
- NIST FIPS 31, Guidelines for ADP Physical Security and Risk Management
- NIST SP 800-37 (draft), Guidelines for Security Accreditation of IT Systems
- NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems
- Administration Procedures Act
- Title 29, Code of Federal Regulations, Part 70
- Information Technology Management Reform Act of 1996
- Privacy Act of 1974
- Computer Fraud & Abuse Act of 1986, as amended
- Freedom of Information Act, as amended
- E-Government Act of 2002
- Department of Labor Technical Security Standards Manual (TSSM)
- Department of Labor FIPS 199/Security Self-Assessment (MS Access)
- Federal Information Processing Standards (FIPS 199)
- NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems”
- NIST Special Publication 800-60, “Guide for Mapping Types of Information & Information Systems to Security Controls”
The goal of the system vulnerability assessment was to examine the information system’s security infrastructure to determine its ability to prevent breaches.
The security assessment addressed information systems-related findings and recommendations outlined inrecent Office of the Inspector General (OIG) reports. These included:
- DOL and Occupational Safety and Health Administration (OSHA)security policies and procedures, and their enforcement
- Emergency response and recovery plans
- Physical security of facilities and equipment housing the information systems
- Use of the applications security features, including user administration and access control
- Level of user awareness and technical personnel training in security issues and technology
- Use and protection of all outside connections, including access via LANS, dial-up, and individual workstations/servers
- Susceptibility to non-technical attacks
- Unintended use of the information systems by OSHA personnel
RESULTS: WCG successfully examined, evaluated, documented, and prepared certification and accreditation tests, procedures, and approvals for the complex multi-tiered records management applications within the agency’s environment. We provided guidance and documentation to assist the agency in obtaining ATO certification for the following systems:
- OHMS (the agency’s health monitoring system)
- Salt Lake Technical System (SLTS)
- TESS (Technical Equipment Support System)
- MAO (Medical Access Order)
The project was delivered on time, on budget, and to the government’s specifications. Due to the quality and timeliness of our work, WCG was asked to expand the scope of services provided to the agency.